Feature Legal — 27 July 2018

GDPR – four letters that can strike confusion and fear into any business. General Data Protection Regulation demands greater accountability and transparency from organisations about how they collect, process and store personal information.

Talk of the need for data protection officers and fines for perceived non-compliance are just two of the elements of the legislation, which came into effect on May 25, that have left many small business owners reaching for the headache pills.

However, the migraine may be more mirage than reality. After all, we already had a Data Protection Act prior to May 25 and much of the GDPR’s core principles are similar.

Even so, these are complex and testing matters which could, if not careful, have significant workload and budgetary implications. A business must prove compliance – this is no time for half measures.

One way to ease the situation is to bring in expertise. Again, however, this a matter of trust. When it comes to such a major step in day to day business protocol, only those fully equipped to reassure and act should ever be invited through the door.

When Central Medical Supplies, a complex business distributing medical devices to hospitals around the UK, as well as leading maternity retail brands, looked at their responsibilities to meet the GDPR legislation, they were fortunate to have a well-established and successful relationship with digital powerhouse Fifteen Group, the Stoke-on-Trent based technology expert which offers IT and software support for businesses across the UK.

“Our business is complex due to the large spread of customers we’ve got,” explains Central Medical Supplies technical director Andy Swann. “Not only have we got hundreds of NHS and private hospitals on our books but we also do a certain amount for the retail trade with baby products.

“GDPR is a challenge that all companies are having to deal with – a situation where we needed expert guidance. In our case we have a long established relationship with Fifteen Group and they immediately helped us out. They were able to ensure we comply with every area of the legislation.

“For a lot of small and medium-sized businesses these kind of things can’t be done in-house,” adds Andy. “Unless you are prepared to employ a couple of IT experts it’s best to sub-contract it out to someone with the expertise of Fifteen Group.

“In our case, they have always been good at flagging upcoming issues that might affect us – issues that affect them too.”

Fifteen Group director Mark Adams has been at the heart of Central Medical Supplies’ GDPR programme.

“GDPR applies to all data,” he explains. “It’s good practice to be aware of what data you hold, and where it is held. I have dealt with companies that, in all honesty, probably couldn’t say where that information is, where it is held.

“A lot of trust is put into third parties such as IT companies. Some of those IT companies then outsource to different vendors – they themselves might have servers in different countries. It’s about being aware of where your data is and how you can protect it.

“Central Medical Supplies is a good company. They knew right from the start that they needed to be on top of GDPR. They came up with a project plan and then called on us for the technical measures that needed putting in place, such as with the IT systems.

“We have rolled out an encryption package for them, which is centrally managed by us. By managing it remotely, clearly we are leaving them to get on with what they are best at.”

Six weeks on from the deadline, companies may think they have GDPR under control. Fifteen Group is adept at looking at areas that might otherwise have been forgotten.

“Central Medical Supplies has sales reps off-site,” continues Mark, “which means if one of them forgets the encryption then we can resend it. If potentially there’s a problem, we can also send a kill pill to a device when it’s out in the field.

“There are many different things we can do. Multi-factor authentication is another. An employee, for instance, might have an app on their phone which they are required to click before they are allowed to log in, a barrier that can apply to web-based systems as well as PCs. That clearly helps stop breaches – it’s very difficult for someone to know your credentials.”

It is clear that every company should by now have a solid and sustainable GDPR plan. If your company needs help to meet its obligations, the outsourcing market, as represented by Fifteen Group, is a cost and time efficient place to look.

Data protection is the challenge of now – it cannot be ignored.

Share

About Author

MIB

(0) Readers Comments

Comments are closed.